Why Windows Users Should Want A Linux LiveCD
WHY you want a Linux Live CD
by Michael Horowitz

For the most part, on this blog, I try to convince readers to do something defensive on their computers - like a parent nagging a child to eat their vegetables. Only once have I put my foot down, so to speak, saying unequivocally last year that all Windows XP users should employ DropMyRights.

Now, another emphatic endorsement - all Windows users should have a Linux Live CD, and, know how to use it.

If you're not familiar with the term "Live" applied to a CD, that's because it's not something that exists in the Windows world. Linux can do something Windows can't, run (not just install) from a CD. You can run Linux off a Live CD even on a computer that doesn't have an internal hard disk.

There isn't a single Linux Live CD any more than there is a single Linux. Live CDs were initially a great way to kick the tires on various Linux distributions. That still holds, but I suggest them for other reasons.

Have you ever panicked when Windows won't boot and you really need the files on the computer? You can boot from a Linux Live CD and easily copy files to an external hard disk, a USB flash drive or another computer on a Local Area Network. With a little work you should also be able to burn a CD or DVD.

In the old days Linux struggled with the NTFS file system, but those days are long gone. Depending on the Linux distribution you chose, the hard disk may default to "read-only" mode, but this isn't a problem if all you want to do is copy files off the machine.

Speaking of the old days, Linux distributions used to have install CDs and Live CDs. Now, many CDs do both. Ubuntu, for example, introduced the ability to install onto the hard disk from the Live CD in version 6.06.

When Windows won't start up, the first debugging issue is always whether it's a hardware or software problem. Here too, a Live CD can help. If Linux boots and runs fine, and can see and view all the files on the hard disk, then you most likely have a software problem.

If a Linux Live CD won't boot, there's a chance that it stumbled on some hardware it can't deal with. Therefore, it's best to boot with your chosen Live CD as soon as you get it. If a previously tested Live CD no longer boots, you've probably got a hardware problem. No rocket science here.

If Windows is corrupted or infected with malware, a Linux Live CD can give it a new lease on life. Although running from a CD is much slower than running from an internal hard disk, the Live CD can restore Internet access. This is all but guaranteed for an Ethernet-based broadband connection and may even work for a WiFi connection.

The previously mentioned read-only mode for the hard disk can prove useful too. To some children, the web browser is the computer. You can set them loose on Firefox running off a Live CD and be 100% sure they won't screw up the installed copy of Windows in any way, shape or form.

A Live CD can also be used to fix a broken copy of Windows. Yes, Windows has a Recovery Console, but a Live CD has its pluses. For one, the Recovery Console is only an option if you have a Windows CD. Also, at least with XP, you have to provide an Administrator password to use the Recovery Console, not so with a Live CD. And, if the problem with Windows has to do with the part of the registry that stores passwords, you'll never be able to get into the Recovery Console. Plus, it's command line based whereas Live CDs offer a GUI. Finally, a Live CD offers many more options for copying files off the computer than does the Recovery Console.

Windows XP users may also appreciate that Linux Live CDs can be used to re-partition the hard disk, saving the cost of commercial products such as Partition Magic. I have to stress however, that any partitioning operation is dangerous, no matter what software is employed, and you should always back up everything you can think to back up before changing partitions.

As for cost, Linux Live CDs are free. You can download the Live CD for any number of Linux distributions as a single ISO file. Just burn it to a CD and you're done. Ubuntu goes even further. If you don't have a broadband connection or can't burn your own CDs, Canonical will send you a free CD in the mail. For other ways to get it see here and here (look for the 8.04 LTS Desktop edition).

As with DropMyRights there is no down side to having a Linux Live CD at the ready.
Virus Outlook For Windows Users
Anti-Virus Firms Scrambling to Keep Up
Sophistication of Viruses and Other Threats Poses Big Challenges for Companies, Consumers
By Brian Krebs
washingtonpost.com Staff Writer
Wednesday, March 19, 2008; 11:12 AM

The sheer volume and complexity of computer viruses being released on the Internet today has the anti-virus industry on the defensive, experts say, underscoring the need for consumers to avoid relying on anti-virus software alone to keep their home computers safe and secure.

Approximately 5.5 million malicious software programs were unleashed on the Web last year, according to AV Test Labs, a German company that measures how quickly and accurately anti-virus products detect the latest malicious software, also known as "malware." That volume, AV said, forced anti-virus firms to analyze between 15,000 and 20,000 new specimens each day -- more than four times the daily average they found in 2006, and at least 15 times as many as the company recorded in 2005. In the first two months of 2008 alone, AV Test found more than one million samples of malware spreading online.

"Back in 1990 we were seeing a handful of new viruses each week," said David Perry, global director of education for Trend Micro, an anti-virus company headquartered in Japan. "Now, we're having to analyze between 2,000 and 3,000 new viruses per hour."

This glut of malware is the result of a long-running digital arms race between security companies and criminals intent on stealing personal financial data from vulnerable computers and using networks of commandeered PCs for all manner of lucrative criminal enterprises -- from sending spam to hosting scam Web sites.

The rapid increase of viruses and other malware has forced the anti-virus industry to overhaul its traditional approach to writing its software, with the result that security products on the market today are far more powerful and sophisticated. But many observers say that despite all its new bells and whistles, the anti-virus industry as a whole continues to fall behind in identifying the very latest malicious software.

The challenge, security experts say, is that criminal groups responsible for manufacturing most of the malicious software in circulation today are reinvesting their illicit profits in research and recruiting talented computer programmers. A special emphasis is placed on creating malware that coexists peacefully with an infected computer system, doing its work quietly in the background.

"A lot of these [malware] shops are now hiring professionals and doing quality assurance work, things that generally make the job of the anti-virus researcher that much harder," said Randy Abrams, director of technical education at ESET, an anti-virus company based in Bratislava, Slovakia.

Nightmarish Arms Race

Spurred by enormous profits, organized criminals largely based outside of the United States and Western Europe are automating the creation and modification of new viruses, making it possible to churn out thousands of variations of the same viruses every few hours in a bid to stay a step ahead of the anti-virus firms.

Malware writers increasingly are taking steps to ensure that computers infected with their creations stay infected, according to security researchers. In years past, no matter how quickly an anti-virus product shipped updates to detect the most recent malware, most anti-virus software would eventually sound the alarm if a virus managed to slip past its initial defenses. But more of today's cyber criminals are continuously updating the malware they have managed to install on victims' computers, replacing older malicious files with new ones in a bid to keep them hidden.

This strategy has had a profound impact on the daily operations of anti-virus companies. The industry has traditionally fought malware by maintaining large libraries of digital genes known as "signatures," tiny snippets of computer code pulled from known viruses and worms. Under this tried-and-true method, if the anti-virus software spots a match between a virus signature in its database and a segment of code in the user's downloaded file or e-mail, the security software will alert that user that the program is malicious and attempt to block it from gaining a foothold on the system.

But the large volume of malware that anti-virus firms are processing each day has made it virtually impossible for those companies to create individual signatures for each new specimen. Instead, the anti-virus firms have been forced to invest heavily in methods and technologies for automating new malware analysis.

For its part, Sunbelt Software, a security software company based in Clearwater, Fla., recently added more than 50 new servers to its malware analysis center to lighten the load of a lab already straining under the daily deluge of new virus samples.

"We've had to bring in a great deal more hardware and come up with tons of different new detection methods just to deal with the incoming malware load in the past year," Sunbelt President Alex Eckelberry said.

Much of that automation involves creating more generic signatures capable of detecting a broader range of malicious files. That approach relies less on recognizing any telltale code fragment than it does identifying a suspicious type of behavior or overall resemblance to a well-known family of malicious software.

This labor- and time-saving method has its shortcomings, however. For one thing, employing more generic detection methods can lead to a greater number of false alarms, wherein innocent files are mistaken for viruses. These kinds of errors can be extremely disruptive for customers, and they've become more common as anti-virus makers have increased their reliance on generic detection methods, said Andreas Marx, managing director for AV Test.

Marx said that while all anti-virus companies maintain comprehensive lists of known "good" files with which to test their daily anti-virus updates and avoid false alarms, many times those tests are never conducted.

"It looks like more and more that for time reasons these scans are not even performed, but the update is released 'as is,' putting the users at a high risk to destroy their running, non-infected systems," Marx said.

A handful of these so-called false positives have had a fairly broad impact on customers. In December, Russian anti-virus maker Kaspersky erroneously flagged Windows Explorer -- the visual interface for Windows itself -- as a Trojan horse program. Earlier in the year, a faulty update to certain versions of Symantec's Norton Antivirus program detected two essential Windows components as malicious, crippling millions of Windows PCs.

Headache for Consumers

Malicious software is becoming harder to remove because more virus writers are including components that bury the malicious files deeper within the operating system. For many users, some of today's most tenacious intruders cannot easily be removed without re-installing the operating system.

Re-installing isn't such a huge hassle for businesses, which tend to keep user-generated data files in separate digital storage bins than the underlying operating system. Indeed, for some businesses, a virus infection is grounds to rebuild the infected machine with a known safe copy of Windows and any other needed applications.

But home users often will try almost anything before re-installing Windows, mainly because they typically do not have those same data and system backup plans in place, said Don Jackson, a senior security researcher for Atlanta-based SecureWorks.

"Comprehensive remediation of infections is badly hurt by generic detection, and unfortunately a lot of today's infections are extremely difficult for the average user to remove completely," Jackson said. "You can see the evidence of that by number of people desperately posting to various security self-help sites."

An increasing reliance on generic detection also has made it more difficult for consumers to find instructions online for removing an infection that can't be completely eradicated by anti-virus software. Instead of pinpointing a malicious intruder with a specific filename (e.g. "MyTob Worm.AB"), generic signatures often will assign plain vanilla names to malware files, such as "Generic Trojan Dropper," or "Backdoor.generic."

Such vague names entered into a search engine produce so many results that people with machines victimized by such malware often are at a loss as to how to proceed, said David Harley, an anti-virus consultant and administrator of the Anti-Virus Information Exchange Network (AVIEN), a group made up of corporate IT security administrators who share trends and data on the latest malware threats.

"What happens now is some stuff can be removed generically, and that does happen, but a lot of the time [the victim's anti-virus product] says I think you have a problem here, but I'm afraid you're going to have to sort it out yourself," Harley said. "That puts the user who just wants this stuff off his machine in a terribly awkward position."

Experts say PC users shouldn't depend on anti-virus software to save them from risky online behaviors, such as clicking on Web links included in unsolicited e-mail and instant messages. Rather, they say, anti-virus should be part of a layered security approach that includes using a firewall to keep out unwanted Internet traffic and applying software updates for both Microsoft Windows and third-party software -- particularly popular programs used to display documents or play audio and video files.

"The problem is that we have this ongoing, unrealistic expectation that somehow we are going to detect 100 percent of the malware out there, when in fact what we have today is slightly less detection than we did, say, in the mid-1990s, when we were actually catching 70 to 80 percent of the new threats," said AVIEN's Harley.

For security researchers on the bleeding edge of defending information networks, even those less-than-stellar numbers may seem a bit inflated. Jerry Dixon, director of analysis for Team Cymru, a security research firm in Burr Ridge, Ill., said his team recently submitted more than 1,000 samples of brand new malware for scanning by 32 different commercial anti-virus products from around the globe. The result: Only 37 percent of the programs were detected as malicious by any of the products.

"The real challenge here is for people to get it through their heads that anti-virus is not a panacea, and that it's always going to fall short of identifying threats in real-time," said Trend's Perry. "The challenge for us as an industry is to try to change that perception, while at the same time integrating new threat mitigation features into our products."
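The trade-off described in the article above between exact signatures and generic detection, as an added example that is not part of the original article. Every sample, marker string and detection name is a constructed, harmless stand-in, and the "two markers" rule is a simplifying assumption rather than any vendor's method.

```python
# Added illustration: exact signatures vs. a generic rule, on constructed samples.
# All byte strings are harmless, made-up stand-ins, not real malware.

# Exact "signatures": snippets pulled from an already-known sample (constructed).
SIGNATURES = {
    "Example.Worm.A": b"CONNECT-HOME;COPY-SELF;v1",
}

# Generic rule (assumption): flag a file that shows at least two of these
# behaviour markers. Marker names are hypothetical.
BEHAVIOUR_MARKERS = (b"COPY-SELF", b"CONNECT-HOME", b"WRITE-STARTUP")


def signature_scan(data):
    """Return the specific name of the first matching signature, or None."""
    for name, snippet in SIGNATURES.items():
        if snippet in data:
            return name
    return None


def generic_scan(data, threshold=2):
    """Return a generic label when enough behaviour markers are present."""
    hits = sum(marker in data for marker in BEHAVIOUR_MARKERS)
    return "Generic.Suspicious" if hits >= threshold else None


# Constructed corpus: one known sample, one reshuffled variant of it,
# one legitimate program that happens to share two behaviours, one document.
SAMPLES = {
    "known_worm": b"hdr|CONNECT-HOME;COPY-SELF;v1|end",
    "repacked_variant": b"hdr|COPY-SELF;xx;CONNECT-HOME;v2|end",
    "benign_updater": b"hdr|CONNECT-HOME;check-version;WRITE-STARTUP|end",
    "plain_document": b"hdr|hello world|end",
}
MALICIOUS = {"known_worm", "repacked_variant"}


def evaluate():
    """Scan every sample with both methods; list misses and false alarms."""
    report = {name: (signature_scan(data), generic_scan(data))
              for name, data in SAMPLES.items()}
    missed_by_signature = sorted(n for n in MALICIOUS if report[n][0] is None)
    generic_false_alarms = sorted(
        n for n in SAMPLES if n not in MALICIOUS and report[n][1] is not None)
    return report, missed_by_signature, generic_false_alarms


if __name__ == "__main__":
    report, missed, false_alarms = evaluate()
    for name, (sig, gen) in report.items():
        print(f"{name:17} signature={sig} generic={gen}")
    print("missed by signatures:", missed)
    print("generic false alarms:", false_alarms)
```

The variant is caught only by the generic rule, which reports it under a non-specific name and also flags the legitimate updater.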
Malware Growth At Higher Level Than Ever Before
F-Secure reports malware growth at a higher level than ever before: Amount of malware reaches 900.000 in the end of June 2008
Jun 24, 2008

(Helsinki, June 24th, 2008) In its 2008 first half data security summary, F-Secure reports malware growth rate at a higher level than ever before.

This recent explosion of malware doesn't necessarily represent new types of threats. It is largely the packing, encryption, and obfuscation of existing families of trojans, backdoors, exploits, and other threats which is now done with industrial efficiency. What the increasing use of self-defense technologies in malware represents is the ever growing professionalism within the crime-ware community.

"I have a nasty feeling that the situation is getting worse, not better", says Mikko Hyppönen, Chief Research Officer at F-Secure Corporation. "However, we're not giving up either."

The first half of 2008 has witnessed a growing number of targeted malware attacks on individuals, companies, and organizations. In a targeted malware attack, the attacker profiles his victim and sends an e-mail using the recipient's name, title, and perhaps references to his job function. The message's content is typically something that the recipient would expect to receive via e-mail.

Targeted malware attacks are also being used for political and military motives. During the recent clashes between Tibetans and the Chinese military, the battles on the streets were accompanied by political espionage on the Internet. Human rights groups, pro-Tibet organizations and individuals supporting the freedom of Tibet were attacked with a carefully targeted and technically advanced e-mail campaign that attempted to infect their computers in order to spy on their actions.

Additionally the first half of 2008 brought some new ways to infect PCs, as well as “jailbreaking” for mobile phones.

The full 2008 first half data security wrap-up is available at http://www.f-secure.com/2008/
